IT Security advice for users of the CIP pool
The CIP pool administrators have found that several IT security aspects are not being paid attention to - either wilfully or through negligence. We therefore ask users, especially less experienced ones, to make themselves familiar with the existing rules and comply with them when using the CIP pool. Please read the following information carefully, and get to know the basic rules of password protection, the specific features of the computer systems used in the CIP pool, and how you can effectively protect yourself and others against account misuse and data theft.
2. LMU account
With a single login users can access numerous services, including online registration for written examinations, tuition fee accounts, e-mail accounts, the LMU Portal, virtual seminar rooms, computer workplaces in the libraries and faculties, and VPN-secured Internet access via WLAN. This is very convenient on the one hand, on the other there is a security risk in the fact that a single login authenticates a user to all areas and functions offered. The security of this single sign-on system relies on you to keep your password secret. Therefore please adhere to the following rules to prevent others from accessing sensitive data or misusing your identity.
- Do not choose an easy-to-guess password. The password should be at least 8 characters long and should consist of lower- and upper-case letters and digits. On no account should you use words that can be found in dictionaries, or spaces, or proper names, or names of and labels on objects within reach.
- Do not use a password that you use for authentication somewhere else. Although the password you use here is securely encrypted, this may not apply for services provided by others. With some free-mail providers, for example, the mail-password is transmitted unencrypted and can thus be easily intercepted.
- Never write down your password.
- When typing your password, make sure nobody looks over your shoulder.
- Change your password at regular intervals. To do so, please go to the LMU Portal.
- Never pass on your password to another person: Make no exception, not even for friends. It happens every now and then that someone logs in with somebody else's login data. They may have been authorized by you to do so, but usually they are not familiar with the prevailing security guidelines and do not exercise the caution necessary to protect your password. (They may, for example, write the password down because they cannot memorize it, and then accidentally leave the note lying on the desk.)
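The password rules listed above, expressed as a check you can run on a candidate password. This is an added example, not part of the original page; the word list is a small constructed sample that stands in for a real dictionary, and the password is passed as an argument only for demonstration (in practice read it without echo).

```shell
#!/bin/sh
# Added example (not from the original page): check a candidate password against
# the rules above: at least 8 characters, lower- and upper-case letters and
# digits, no spaces, no dictionary word.
LC_ALL=C; export LC_ALL          # make [a-z] and [A-Z] mean plain ASCII ranges

# Constructed stand-in for a dictionary (assumption; use a real word list).
DICT_WORDS="password physik muenchen summer welcome"

# Print every rule the candidate breaks, one per line; print nothing if it passes.
password_problems() {
    pw=$1
    [ "${#pw}" -ge 8 ] || echo "shorter than 8 characters"
    case $pw in *[a-z]*) ;; *) echo "no lower-case letter" ;; esac
    case $pw in *[A-Z]*) ;; *) echo "no upper-case letter" ;; esac
    case $pw in *[0-9]*) ;; *) echo "no digit" ;; esac
    case $pw in *" "*) echo "contains a space" ;; esac
    # Dictionary words are rejected regardless of case, also as part of the password.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $DICT_WORDS; do
        case $lower in *"$w"*) echo "contains dictionary word '$w'" ;; esac
    done
}

# Return 0 (success) if the candidate breaks no rule, else 1.
password_ok() {
    [ -z "$(password_problems "$1")" ]
}
```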
We would like to point out that the rules stated in the previous passage are also specified by the Leibniz-Rechenzentrum in its Usage regulations of the Leibniz Supercomputing Centre under §4.3. These rules also address the Social Engineering problem. Social Engineering attacks are targeted at unsuspecting users of IT infrastructures, prompting them under false pretenses to provide sensitive information such as passwords, or information on security mechanisms or the network infrastructure.
It may also happen that you will be asked to expose your authentication and other sensitive data via e-mail or the Web (Phishing). In these cases, an official-looking message will be sent to you containing a link to an authentic-looking form, or you may be asked directly to give your authentication data. The Faculty's computer administration group (RBG) or the team of the Leibniz Supercomputing Centre (LRZ) would never address a request of this kind to you. If you receive a mail like this or encounter a website such as described above, please inform the Faculty's computer administration group (RBG) immediately.
3. The CIP pool of the Faculty of Physics
3.1. Logging into and out of the CIP pool computers
As you know, you can locally log into the CIP pool computers with your LMU name (without adding @campus.lmu.de). Attackers can already try to get your login data at this point, by showing you a fake login mask which sends your login data to them. Therefore please look closely to make sure it is the usual login screen, and do not enter your login data if you have any doubts about the authenticity of the login request. There is a simple method to protect yourself against such an attack: Press STRG+ALT+DRUCK+K (Ctrl+Alt+PrintScreen/SysRq+K) to restart the graphical interface.
The screen will turn black briefly and will then show the authentic login screen. By the way, you can use the same key combination to log in again after a crash, or to quickly end a hung-up log-out procedure. However, do not use this function routinely as it closes all programs without giving them the time they need to save their data.
Please do log out at the end of a session so that nobody else can use your account. This applies in particular to the text consoles that are reached via the key combinations STRG+ALT+(F1 to F6) (Ctrl+Alt+F1 to F6), as these consoles are not locked automatically after some time of inactivity.
If you start a long computation process and do not want to stay in the CIP room until it is finished, please tell the computer administration group. Otherwise they may close your programs after several hours and log you out in order to provide the computer's full capacity to other users.
You have a free allowance of 18 Euros per semester that you can use for prints. Please pay attention to which printer you send your print job to, keeping in mind that there are also CIP computer workplaces and printers at Theresienstrasse. This will save you time and money. Please pick up printed documents immediately, in particular personal and confidential ones, as the printers are freely accessible to everybody. It happens quite often that documents containing personal data are printed on a different printer than intended and are not picked up. In the case of sensitive data, the computer administration group members reserve the right to destroy documents that are not collected, or to store them in the administration room. If one of your printouts is missing, please go to the administration room and ask whether it is there.
3.3. Data management and the allocation of rights
When you log into a CIP computer you will work in a multi-user system: Several users can be logged into a single computer at the same time (text consoles, SSH, graphical consoles, etc.), sharing its resources (CPU, hard disk, network). Linux has a sophisticated security model. However, you should not execute or open unknown files from the network. While there are few viruses for Linux and little probability of damage to the overall system, your own data can very well be damaged by viruses and Trojans if you do not exercise the same care that you are supposed to exercise when using Windows systems.
By default the rights in the CIP pool are set up to prevent other users from seeing the data in your home directory. However, through a mistake of your own you may accidentally give other users the right to see your data.
The /tmp and /large_tmp directories are writable and readable for all users. These directories are used for data that is created by programs for temporary use but not for permanent storage. The programs protect the data they store in the /tmp and /large_tmp directories by strict and correct limitation of access rights. However, if you yourself copy data to /tmp or /large_tmp without limiting access rights, they will be readable to all other users of the system.
Therefore, never work in the temporary directories (with the exception of poster printing).
Similarly, your home directory is only as secure as it is set up by you. Please follow the instructions below to ensure that your files are readable and writable only to yourself:
Open a console (for example, by pressing ALT+F2 and executing the command console or xterm). To see the files in your home directory, use the command
ls -l ~
"ls -l" lists the files in a directory, "~" stands for your home directory.
This is an example of a listing of files displayed after using "ls -l ~":
total 1228
drwx------ 2 Maximilian.Imgrund campususer 4096 2007-09-13 13:10 bin/
drwx------ 2 Maximilian.Imgrund campususer 4096 2008-06-19 14:30 Desktop/
drwx------ 2 Maximilian.Imgrund campususer 4096 2008-05-17 19:30 Documents/
Each file has an owner and a group (to allow more than one user to access the file). They are shown in columns 3 and 4, respectively. The first column is of particular interest, as it shows the rights allocated to the different parties. In each line the first character indicates the type of the entry, and the 3x3 characters that follow identify the rights allocated to the different parties.
- "d" stands for directory
- "d" is followed by 3x3 characters:
  - the first 3 characters stand for the user's (i.e. the owner's) rights
  - the second 3 characters stand for the group's rights
  - the third 3 characters stand for the rights of all other users, who are not part of the group
- The rights are:
  - "r" for read
  - "w" for write
  - "x" for execute
For normal files "execute" refers to running a program, whereas for directories "execute" stands for the right to enter the directory. Furthermore, for directories "read" denotes the right to list the contents of the directory, and "write" is the right to create or delete files in the directory.
The following example shows how to make your home directory accessible to you only. Rights are allocated with the chmod program; the following command makes your home directory readable, writable and visible only to you:
chmod -R go-rwx ~
"-R" stands for recursive, which instructs the program to process not only the target directory ~, but also all files and directories it contains. "g" stands for group, and "o" for others (not to be confused with "u", which stands for user, i.e. the owner of the directory). The "-" removes the rights "rwx", i.e. read, write and execute, from the parties named before it. The last argument is the target, in this case ~, the home directory.
To check whether the command was effective, use again command "ls -l" to list the directory contents.
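The check and the fix described above, as an added example that is not part of the original page: it audits a directory tree for entries that grant any right to group or others (the same information "ls -l ~" shows) and locks them down with the page's "chmod -R go-rwx" command. It assumes a POSIX shell with ls, awk, find and chmod, and takes the directory to audit as an argument (the page's case is ~).

```shell
#!/bin/sh
# Added example (not from the original page): find files and directories below a
# given directory that group or others can read, write or enter, and remove those
# rights. Assumed: POSIX sh with ls, awk, find and chmod.

# Print the 9-character rights block of one path, e.g. "rwx------".
rights_of() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# Return 0 if group or others hold any of r/w/x on the path, else 1.
is_exposed() {
    case "$(rights_of "$1")" in
        ???------) return 1 ;;   # only the owner has rights: fine
        *)         return 0 ;;   # something is granted to group or others
    esac
}

# List every exposed entry below a directory (the directory itself included),
# one per line as "<rights> <path>".
list_exposed() {
    find "$1" -print | while IFS= read -r p; do
        if is_exposed "$p"; then
            printf '%s %s\n' "$(rights_of "$p")" "$p"
        fi
    done
}

# Remove all group/others rights below a directory, as "chmod -R go-rwx ~" does.
lock_down() {
    chmod -R go-rwx "$1"
}
```

Run list_exposed on your home directory before and after lock_down to see the effect of the chmod command; an empty list means every entry shows "------" in the group and others columns.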
Tip: To get a detailed description of a command or program, use
3.4. Data transfer
Besides logging into the university's computers locally, you can also log into them from home via SSH. Authentication and communication via SSH are encrypted, so this is a secure method for using data from the CIP pool at home, or for transferring data from your home computer to the CIP pool. For this purpose several free tools are available for Windows. Under Linux, the standard tools SSH, SCP and Rsync are usually pre-installed. If possible, choose this method over sending data via e-mail, as e-mails are usually transmitted unencrypted and are not suitable for transferring large data volumes.
Please keep in mind that data from the Münchner Wissenschaftsnetz and from the chairs' and CIP pool servers may not be meant for the public. Please treat them accordingly. In particular, do not publish them, for example, by copying them into your unprotected homepage folder.
To make a file available to another user, you can copy it to the /large_tmp directory and allow the other user to make a copy of it. Then delete the file from the /large_tmp directory. However, a more direct and secure way is using the following command:
scp examplefile.txt recipient.login@computername:
Replace "examplefile.txt" with the name of the file to be transferred, replace "recipient.login" with the recipient's login name, and replace "computername" with the name of one of the computers in the CIP pool, without a blank in between. If you are logged into the CIP pool, you can also use "@localhost:" instead of a computer name. All the recipient needs to do is enter his or her password, and the file will be copied to his or her home directory. Using the same method, you can copy files from your home computer to a CIP pool computer, giving your own login name as recipient. You must keep the colon. After it, you can specify an alternative file name or sub-directory.
To transfer data from the CIP pool, you can also use a USB stick. However, the stick will be mounted so that all users of the system can see its contents in the file system. Therefore please check whether other users are logged into the computer using command
and use the USB stick only for a short time. In the case of sensitive data, it is recommended to either ask a member of the computer administration group to copy them for you - their computers are more protected - or to transfer the data another way, for example via SSH/SCP.
Homepages are no longer published by copying the public files into directory ~/public_html. A homepage server is now available for your personal homepage. This increases security significantly, as we can now separate internal information from the information to be published on the World Wide Web. You can upload your files either via Webmailer Horde - navigating to "My Account", "File Manager", "Web Home"- or via SCP / SSH as described above. The server's name is homepages.physik.uni-muenchen.de.
Please note: The files on the homepage server can be read by any other user with a CIP account (unless the access rights to the files are changed). For several reasons, the .htpasswd password protection provided by the web server is ineffective against users with a CIP account. Therefore please do not rely on this kind of password protection, and do not provide sensitive data online.
3.5. Windows Terminal Server
You can log into a Windows server using the command "win". Especially while surfing the Internet, Windows systems are more vulnerable than Linux systems to attacks by malicious software, as authors of malware focus on Windows, which is used by the majority of computer users. We therefore recommend surfing under Linux instead of using the Windows terminal server for it. Visit only trustworthy websites and execute only programs you know. As the capacity of the Windows Terminal Server is shared by all CIP users, please use the server's resources economically.
3.6. Use of the Internet
Please use the Internet access from the CIP pool primarily for academic purposes. You must not install file sharing programs or other programs that cause heavy data traffic. The LRZ is recording an increase in misuse, but still prefers not to further filter or limit data traffic. Please also keep in mind that data traffic incurs costs that are shared by the participating institutions. So be sure to make appropriate use of the Internet connection provided. Try to avoid producing accidental spam or other traffic caused by malicious software, and comply with the basic rules of secure surfing.
The LMU account was a big and efficient step towards unifying and simplifying access for students. We are planning to make even more functions and exercises accessible via the Internet through that account. Whether this will be put into effect depends mainly on how secure the accounts are judged to be.
With a little self-discipline we have the chance to unify and shorten even more processes.
We, the computer administration group (RBG), think it reasonable to make the available capacities and computing power easily accessible to all members of the Faculty of Physics. We would also prefer not to have to filter the data traffic or check IDs in the future. You, as a user of the CIP pool, can contribute significantly through individual responsibility to keeping the use of the PCs and other devices as unrestricted as it has been. We are always pleased to hear any criticism or suggestions concerning the services offered.
Be on the safe side, it's worth it.
The computer administration group of the faculty of physics